Professional Documents
Culture Documents
BEST PRACTICES:
I N C O M I N G & O U T G O I N G C O N T E N T F I LT E R S
September 2015
Version 1.0.1
Dalton
Hamilton
Cisco
Sales
Engineer
https://cisco.com/go/emailsecurity-customer
ESA Incoming and Outgoing Content Filters - Best Practices
THE MOST RECENT VERSION OF THIS DOCUMENT CAN BE FOUND HERE: 1
2
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Content Filters allow you to inspect the intricate details of an Email and take Actions (or no
Action) on the Email. Once the Incoming or Outgoing Content Filter is created, you
apply it to a Incoming or Outgoing Mail Policy. When any Email matches the Content
Filter, the ’Content Filters’ Report on the ESA and SMA will be able to show you all email
that matched any Content Filter. Therefore, even if no Action is taken, it is an excellent
way to obtain valuable information about the type of emails entering and leaving your
organization — allowing you to “Pattern” your email flow.
As there are many different Content Filter ‘Conditions’ and ‘Actions’, this document will
step you through some very common and recommended Incoming and Outgoing Content
Filters.
OVERVIEW OF STEPS
Step3: Create the Incoming and Outgoing Content Filters and Apply to Policies
Once we have the dictionaries imported and the Quarantines created, we will create the
Inbound Content Filters and apply them to the Incoming Mail Policies and then create the
Outgoing Content Filters and apply them to the Outgoing Mail Policies.
3
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Click the “Import Dictionary” button on the right side of the page.
Profanity:
• Select “Import from the configuration directory on your IronPort appliance”
• Select “profanity.txt” and click “Next”.
• Name: Profanity
• Click the “Match whole words” (VERY IMPORTANT)
• Modify the terms (add new terms or remove unwanted terms)
• Click Submit
SexualContent:
• Select “Import from the configuration directory on your IronPort appliance.” Select the
“sexual_content.txt” and click “Next”.
• Name: SexualContent
• Click the “Match whole words” (VERY IMPORTANT)
• Modify the terms (add new terms or remove unwanted terms)
• Click Submit
Proprietary:
• Select “Import from the configuration directory on your IronPort appliance.” Select the
“proprietary_content.txt” and click “Next”.
• Name: Proprietary
• Click the “Match whole words” (VERY IMPORTANT)
• Modify the terms (add new terms or remove unwanted terms)
• Click Submit
4
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
STEP 2: C R E AT I N G T H E C E N T R A L I Z E D Q U A R A N T I N E S
On the SMA, navigate to: Email Tab > Message Quarantine > PVO Quarantines
This is what the Quarantines table should look like before we start. All quarantines are
default.
Click the “Add Policy Quarantine…” button and Create the below Quarantines. Some will be
used by Incoming Content Filters and some will be used by Outgoing Content Filters. You
create them in the same manner.
PVO Quarantines - used by Incoming Content Filters
URL Malicious Inbound: SPF Hard Fail:
Name: URL Malicious Inbound Name: SPF Hard Fail
Retention Period: 14 Days Retention Period: 14 Days
Default Action: Delete Default Action: Delete
Free up space: Enable Free up space: Enable
URL Category Inbound: SPF Soft Fail:
Name: URL Category Inbound Name: SPF Soft Fail
Retention Period: 14 Days Retention Period: 14 Days
Default Action: Delete Default Action: Delete
Free up space: Enable Free up space: Enable
Bank Data Inbound: SpoofMail:
Name: Bank Data Inbound Name: SpoofMail
Retention Period: 14 Days Retention Period: 14 Days
Default Action: Delete Default Action: Delete
Free up space: Enable Free up space: Enable
SSN Inbound: DKIM Hard Fail:
Name: SSN Inbound Name: DKIM Hard Fail
Retention Period: 14 Days Retention Period: 14 Days
Default Action: Delete Default Action: Delete
Free up space: Enable Free up space: Enable
Inappropriate Inbound: Password Protected Inbound:
Name: Inappropriate Inbound Name: Pwd Protected Inbound
Retention Period: 14 Days Retention Period: 14 Days
Default Action: Delete Default Action: Delete
Free up space: Enable Free up space: Enable
5
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Here is how your PVO table should look after creating all of the PVO Quarantines.
6
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
STEP 3: C R E AT I N G T H E I N C O M I N G C O N T E N T F I LT E R S
Once the Dictionaries have been imported and the PVO Quarantines have been created,
you can now start creating the Incoming Content Filters:
Here is a table of Incoming Content Filters you should create. For example purposes, below the
table is a screenshot exemplifying how to create the first one.
Name: Bank_Data
Add Two Conditions:
Message Body or Attachment:
Contains Smart Identifier: ABA Routing Number
Contains Smart Identifier: Credit Card Number
Add One Action:
Quarantine:
Send message to quarantine: “Bank Data Inbound (centralized)”
Duplicate message: Enabled
(Note the Apply Rule should be “If one or more conditions match”)
Name: SSN
Add One Condition:
Message Body or Attachment:
Contains Smart Identifier: Social Security Number (SSN)
Add One Action:
Quarantine:
Send message to quarantine: “SSN Inbound (centralized)”
Duplicate message: Enabled
Name: Inappropriate
Add Two Conditions:
Message Body or Attachment:
Contains term in dictionary: Profanity
Contains term in dictionary: Sexual_Content
Add One Action:
Quarantine:
Send message to quarantine: “Inappropriate Inbound (centralized)”
Duplicate message: Enabled
7
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Name: URL_Category
Add One Condition:
URL Category:
Select Categories:
Adult, Dating, Filter Avoidance, Freeware and Shareware, Gambling,
Games, Hacking, Lingerie and Swimsuits, Non-sexual Nudity,
Parked Domains, Peer File Transfer, Pornography
Add One Action:
Quarantine:
Send message to quarantine: “URL Category Inbound (centralized)”
Duplicate message: Enabled
*** Note: This Content Filter requires that you enable “Security Services”—> “URL Filtering”
Name: URL_Malicious
Add One Condition:
URL Reputation:
URL Reputation is: Malicious (-10.0 to -6.0)
Add One Action:
Quarantine:
Send message to quarantine: “URL Malicious Inbound (centralized)”
Duplicate message: Disabled (**** Quarantine the original ****)
Name: Password_Protected
Add One Condition:
Attachment Protection: One or more attachments are protected
Add One Action:
Quarantine:
Send message to quarantine: “Pwd Protected Inbound (centralized)”
Duplicate message: Enabled
Name: Size_10M
Add One Condition:
Message Size is:
Greater than or equal to: 10M
Add One Action:
Add Message Tag:
Enter a Term: NOOP
(Note: There must be some action so here we “Tag” the message to represent no operation taken.
The fact that the content filter was “Matched” will allow it to show up in reporting. No ‘Action”
need be taken for it to show in Reporting.)
8
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Name: SPF_Hard_Fail
Add One Condition:
SPF Verification: “is” Fail
Add One Action:
Quarantine:
Send message to quarantine: “SPF Hard Fail (centralized)”
Duplicate message: Enabled
(Note: “is Fail” is a Hard SPF failure and it means the owner of the domain is telling you to drop
all emails received from senders that are not listed in their SPF record. Initially, it is a good idea
to use “Duplicate message” and review the failures for a week or two before quarantining the
original (i.e. turning off duplicate message).
Name: SPF_Soft_Fail
Add One Condition:
SPF Verification: “is” Softfail
Add One Action:
Quarantine:
Send message to quarantine: “SPF Soft Fail (centralized)”
Duplicate message: Enabled
Name: DKIM_Hardfail_Copy
Add One Condition:
DKIM Authentication: “is” Hardfail
Add Two Actions:
Add/Edit Header:
Header Name: Subject
Click “Prepend to the Value of Existing Header” and enter: [Copy - Do Not Release]”
Quarantine:
Send message to quarantine: “DKIM Hard Fail (centralized)”
Duplicate message: Enabled
Name: DKIM_Hardfail_Original
Add One Condition:
DKIM Authentication: “is” Hardfail
Add One Action:
Quarantine:
Send message to quarantine: “DKIM Hard Fail (centralized)”
Duplicate message: Disabled
(Note: We will be creating another Incoming Mail Policy row for PayPal and Ebay domains and
will use this Content Filter for domains that we know should pass DKIM Verification.)
9
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Name: Spoof_SPF_Failures
Add One Condition but it has BOTH Softfail and Hardfail checked:
SPF Verification: “is” Softfail and also click on “Fail”
(so you have two checkboxes clicked “Softfail” and “Fail”
Add One Action:
Quarantine:
Send message to quarantine: “SpoofMail (centralized)”
Duplicate message: Enable
(Note: We will use this Content Filter to take action for incoming email pretending to send from
your own domain — spoofing. Start with the action set to quarantine a copy and after a couple of
weeks of reviewing the SpoofMail quarantine, you can modify your SPF TXT DNS record to add
all legitimate senders and at some point you can change this content filter to quarantine the
original by disabling the duplicate message checkbox.)
As an example, this is what the Bank_Data Content Filter should look like before you
Submit:
After creating all of the Incoming Content Filters, the table should now look like this:
Because the “Policies” function is selected (you’ll see the Polices hypertext at the top
middle) the middle column shows the Incoming Mail Policies the Content Filter has been
applied to. Because we have not applied them to any Incoming Mail Policy, the “Not in use”
is displayed.
10
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Click on the “Disabled” text in the Content Filters cell for the Default Policy.
The pull-down menu button is set to “Disable Content Filters”. Click the button and set to
“Enable Content Filters” and you will immediately be presented with all Incoming Content
Filters that have been created. Enable all filters except the DKIM_Hardfail_Original, and
Spoof_SPF_Failures.
11
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
DKIM Verification for Ebay & Paypal and Spoof Email Protection for your domain
Those two topics will involve Content Filters that utilize DKIM Verification and SPF
Verification. Therefore, we must first ensure both DKIM and SPF Verification are enabled.
Step 1: Enable DKIM and SPF Verification within Mail Flow Policies
Navigate to: Mail Policies —> Mail Flow Policies
Enable DKIM and SPF Verification within all Mail Flow Policies that have “Connection
Behavior” of “Accept”.
Click on the bottom hypertext “Default Policy Parameters” and set “DKIM Verification” to “On”
and “SFP/SIDF Verification” to “On”.
Click Submit.
Look at the column named “Behavior” and edit any Mail Flow Policy with the Behavior set to
“Relay” to turn “Off” both DKIM and SPF Verification for those Mail Flow Policies. We do
not want the ESA to perform DKIM or SPF verification for email received into the ESA
from your Exchange Mail Server heading outbound. In most configurations the “RELAYED”
Mail Flow Policy is the only row with the Behavior of Relay.
Step 2: Create a new Incoming Mail Flow Policy for Ebay and Paypal
Inbound Email received from Ebay and Paypal should always pass DKIM verification. We
will therefore create another Incoming Mail Policy to use the DKIM_Hardfail_Original
Incoming Content Filter for email from those domains.
The next configuration panel lets you define what messages will match this new Incoming
Mail Policy. We only want to define criteria for the Sender (the left portion of the
configuration panel).
Click “Following Senders” radio button and in the Email Addresses table enter “@ebay.com,
@paypal.com”
12
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Click Submit.
You are presented with the Incoming Mail Policies table again but now you have a new
Mail Policy row above the Default Policy.
Click the (use default) hypertext in the Content Filters cell for the new row.
Step 3: Create a new Incoming Mail Flow Policy for Your Domain (Spoof Protection)
The steps in this section will allow you take action on Incoming email that has a From
email address of your own domain and that are failing SPF verification. Of course this
relies on you having already published your SPF Text Record in DNS. Skip these steps if
you have not created/published a SPF Text Resource record for your domain.
13
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
The next configuration panel lets you define what messages will match this new Incoming
Mail Policy row. You only want to define criteria for the Sender (which is the left portion
of the configuration panel).
Click “Following Senders” radio button and then enter your domain in the “Email Address:”
text box. For me, my domain is “@unc-hamiltons.com”
Click Submit.
You are presented with the Incoming Mail Policies table again but now you have a second new
Mail Policy row above the Default Policy.
Click the (use default) hypertext in the Content Filters cell for the new row.
The Incoming Mail Policies table should now look like this:
14
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
STEP 4: C R E AT I N G T H E O U T G O I N G C O N T E N T F I LT E R S
Name: Bank_Data
Add Two Conditions:
Message Body or Attachment:
Contains Smart Identifier: ABA Routing Number
Contains Smart Identifier: Credit Card Number
Add One Action:
Quarantine:
Send message to quarantine: “Bank Data Outbound (centralized)”
Duplicate message: Enabled
(Note the Apply Rule should be “If one or more conditions match”)
Name: SSN
Add One Condition:
Message Body or Attachment:
Contains Smart Identifier: Social Security Number (SSN)
Add One Action:
Quarantine:
Send message to quarantine: “SSN Outbound (centralized)”
Duplicate message: Enabled
Name: Inappropriate
Add Two Conditions:
Message Body or Attachment:
Contains term in dictionary: Profanity
Contains term in dictionary: Sexual_Content
Add One Action:
Quarantine:
Send message to quarantine: “Inappropriate Outbound (centralized)”
Duplicate message: Enabled
15
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Name: URL_Category
Add One Condition:
URL Category:
Select Categories:
Adult, Dating, Filter Avoidance, Freeware and Shareware, Gambling,
Games, Hacking, Lingerie and Swimsuits, Non-sexual Nudity,
Parked Domains, Peer File Transfer, Pornography
Add One Action:
Quarantine:
Send message to quarantine: “URL Category Outbound (centralized)”
Duplicate message: Enabled
Name: URL_Malicious
Add One Condition:
URL Reputation:
URL Reputation is: Malicious (-10.0 to -6.0)
Add One Action:
Quarantine:
Send message to quarantine: “URL Malicious Outbound (centralized)”
Duplicate message: Disabled (**** Quarantine the Original ****)
Name: Password_Protected
Add One Condition:
Attachment Protection: One or more attachments are protected
Add One Action:
Quarantine:
Send message to quarantine: “Pwd Protected Outbound (centralized)”
Duplicate message: Enabled
Name: Size_10M
Add One Condition:
Message Size is:
Greater than or equal to: 10M
Add One Action:
Add Message Tag:
Enter a Term: NOOP
(Note: There must be some action so here we “Tag” the message to represent no
operation taken. The fact that the content filter was “Matched” will allow it to show up
in reporting. No ‘Action” need be taken for it to show in Reporting.)
16
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
Name: Proprietary
Add One Condition:
Message Body or Attachment:
Contains term in dictionary: Proprietary
Add One Action:
Quarantine:
Send message to quarantine: “Proprietary (centralized)”
Duplicate message: Enabled
Because the “Policies” function is selected (you’ll see the Polices hypertext at the top middle)
the middle column shows the Outgoing Mail Policies the Content Filter has been applied to.
Because we have not applied them to any Outgoing Mail Policy, the “Not in use” is displayed.
Click on the “Disabled” text in the Content Filters cell for the Default Policy.
The pull-down menu button is set to “Disable Content Filters”. Click the button and set to
Enable Content Filters and you will immediately be presented with all Outgoing Content
Filters that have been created. Enable all filters.
17
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.
ESA Incoming and Outgoing Content Filters - Best Practices
You have now implemented initial Best Practices for Incoming and Outgoing Content
Filters. Most (not all) Content Filters used the Quarantine Action and elected to check
(Enable) “Duplicate message” option — which merely places a copy of the Original Email
and did not prevent the email from being delivered. The intent of these Content Filters is to
allow you to gather information about the types of emails flowing Inbound and Outbound
to your company.
Having said that, after running the Content Filters report and looking over the email copies
saved in the quarantines, it may be prudent to un-check the “Duplicate message” checkbox
option and thereby start placing the original email into the quarantine instead of a copy/
duplicate.
18
2015 Cisco and/or its affiliates. All rights reserved. This document is Customer Facing.